- From: イアンフェッティ <ifette@google.com>
- Date: Mon, 15 Mar 2010 09:38:25 -0800
- To: Mary Ellen Zurko <mzurko@us.ibm.com>
- Cc: public-wsc-wg@w3.org
- Message-ID: <bbeaa26f1003151038w7b455edboa5da05bfbb78d819@mail.gmail.com>
Given that I don't know anyone who actually uses this, and that current best-practice seems to be to tell users to look for https, and given that a user has no good way a priori to know if the connection is going to be / is supposed to be secure, I am reasonably content to totally ignore http used with TLS per RFC2817.

On 15 March 2010 09:15, Mary Ellen Zurko <mzurko@us.ibm.com> wrote:

> fyi; first feedback to LC
>
> ----- Forwarded by Mary Ellen Zurko/Westford/IBM on 03/15/2010 01:13 PM -----
>
> From: Krzysztof Maczyński <1981km@gmail.com>
> To: <public-usable-authentication@w3.org>
> Date: 03/12/2010 09:41 AM
> Subject: Don't favour https
> Sent by: public-usable-authentication-request@w3.org
> ------------------------------
>
> Dear WG,
>
> Section 5.2 of Web Security Context: User Interface Guidelines seems to
> favour the https scheme over http used with TLS as specified by RFC 2817. On
> the other hand, the W3C Director, TAG, IANA and other parties have indicated
> many times that URI schemes should be employed only if they enable
> identifying with URIs a class of resources semantically distinct from what
> other schemes already cover. Security characteristics of access to a
> resource are orthogonal to the identity of the resource itself (proof: the
> same resource can be made available by both means). Therefore, https is
> redundant and SHOULD NOT be used, since its range coincides with that of
> http. Please redefine “strongly TLS-protected” to include http with RFC
> 2817.
>
> Best regards,
>
> Krzysztof Maczyński
> Invited Expert, HTML WG

Received on Monday, 15 March 2010 17:39:00 UTC